Handling GPDR in Dynamics 365

Microsoft Dynamics 365 enables data integrity to comply with GDPR

An example which shows that Microsoft is taking the new requirements for the companies' duty to protect the privacy and security of citizens seriously, is seen in particular in Microsoft Dynamics 365, where a number of features such as identity and access control, encrypted connections and data centers make it easier for the companies to handle the new requirements.

Dynamics 365 provides tools that help locate, manage and protect your customers' data in the cloud, and compile the necessary reports and documentation required to comply with the requirements of the EU General Data Protection Regulation (GDPR).

Compliance with GDPR is an ongoing process and shared responsibility that involves both the right tools and procedures. Dynamics 365 already provides a number of effective features contributing to the company's ability to handle the new requirements the GDPR Regulation brings with it, but Microsoft has the ambition to deliver the best data protection platform on the market and therefore continuously develops additional tools and functionality to help companies comply with GDPR.

The best way to comply with the GDPR rules will be for the majority of companies to begin with focusing on four important steps. Dynamics 365 provides effective tools and solutions to handle each of these steps.

1. Find data - Evaluate your business

First of all, you should evaluate whether GDPR applies to your particular company and if it does, what data is under your control and subject to the GDPR Regulation. In other words, effective data management requires an understanding of what data the company holds and where it is located.

A classification scheme which applies to the entire company, can help respond to requests from registered persons. Such a scheme allows for faster identification and processing of personal data requests.

Microsoft Dynamics 365 can help find and classify personal data. Search and identify personal data in Dynamics 365 with:

• Quick search and advanced search
• Relevant Search
• filtering
• Dynamics 365 Web API

2. Data Management - Manage personal data with tools in Dynamics 365
The purpose of GDPR is to give registered citizens, more control over how their personal data are collected and used. Managing access to data and control over how data is used and accessed, is fundamental in order to live up to and comply with the GDPR Regulation. Dynamics 365 allows you to authenticate users and manage access to personal data. With Dynamics 365 companies have the ability to:

• Display customized privacy statements and requests, as well as obtain consent for the completion of activities
• Correction of inaccurate or incomplete personal data using different methods
• Assess whether a data erasure request meets the applicable GDPR requirements for deleting personal data
• Live up to the requirements which concerns data transfer requests by taking advantage of the data execution features in Dynamics 365

As a company, it is possible to use advanced search functionality to identify the data subject and the data related to the person concerned.

3. Security - Protect your data with built-in tools

The Dynamics 365 services are continuously developed through the Microsoft Secure Development Lifecycle, which includes methods designed specifically for the protection of personal information. Dynamics 365, and related tools, makes it possible to comply with GDPR's data protection requirements, as the platform provides ways to secure personal data, detect and respond to data leaks and facilitate ongoing testing of security procedures. Dynamics 365 provides:

• Protection of personal data in motion and stagnant
• Supports Azure Active Directory (AAD) for managing user identities
• You will be able to assign and restrict user access to personal data via security roles and fields and security models based on hierarchy
• Dynamics 365 audit allows to help detect data breaches

4. Reports - Tools for maintaining detailed records
With GDPR, the EU has set completely new standards for transparency, accountability and registration. Companies that handle personal data are now responsible for keeping detailed records in accordance with the GDPR requirements. Dynamics 365 provides tools that help businesses meet data reporting requirements. With Microsoft Dynamics 365 you can:

• Track and register changes in personal data using audit functionality
• Track and record process activities relevant to impact analysis or data protection assessments (for example DPIA) using audit functionality
• GDPR make demands that concerns the flow of personal data to and from EU as well as data flow from a company to third party providers. Microsoft's regional data center strategy for Dynamics 365 reduces unnecessary exposure to cross-border data transfer

Contractual obligations

Microsoft offers contractual obligations for all of their business cloud services, including Dynamics 365 Business Central. These obligations include detailed data protection terms, EU model clauses and compliance with Ethe U-USA's Privacy Shield Framework, which concerns collection, use and storage of personal data transferred from the EU to the United States. In addition, Microsoft also maintains a list of third party service providers that may have access to customer data and restrict access to customer data by third parties.

Data Protection Impact Assessments - DPIA

If a company handles personally sensitive information, it may be required to conduct a privacy assessment (Data Protection Impact Assessments or DPIAs). To help customers seeking information that can help them perform a data protection assessment (DPIA) that addresses the company's use of Dynamics 365, Microsoft provides detailed information about their handling of customer data and the security measures set up to protect these data.